Securing Critical Control Systems in the Power Industry

摘要

It has become almost a weekly occurrence to read about some new cyber security attack, whether it is intended to obtain private information or to deliberately bring down a particular company’s network. However, cyber security attacks are just not limited to IT networks. With the advent of Stuxnet, cyber security attacks on control and SCADA systems have become a reality. The threat of cyber security attacks on our nation’s critical control systems infrastructure, which includes our power generation facilities, presents yet another challenge to utility directors and staff. We will discuss what the federal government is doing about cyber security and the impact of the latest Presidential Executive Order. As part of the growing need for cyber security, the types of malwares and viruses that have been designed to attack SCADA systems (such as Stuxnet and Flame) will be examined. To address the need to secure our critical control systems, the paper will discuss the latest standards, regulations and guidelines that can be applied to the power industry. The discussion will focus on the NERC CIP Version 5 standards and the ISA99, Industrial Automation and Control Systems Security standards. Based on the ISA99 standards and Department of Homeland Security guidelines, there are a number of best practices that engineers can employ in designing control systems networks and end users can implement for existing systems. These include authentication and auditing, intrusion detection, and defense-in-depth strategies including firewalls and virtual private networks (VPNs). We will focus on these best practices and how they are applicable to the Version 5 NERC-CIP standards.